CN113205195A - Method, device, equipment and storage medium for determining type of alarm information - Google Patents
Method, device, equipment and storage medium for determining type of alarm information Download PDFInfo
- Publication number
- CN113205195A CN113205195A CN202110603268.4A CN202110603268A CN113205195A CN 113205195 A CN113205195 A CN 113205195A CN 202110603268 A CN202110603268 A CN 202110603268A CN 113205195 A CN113205195 A CN 113205195A
- Authority
- CN
- China
- Prior art keywords
- alarm information
- alarm
- information
- type
- historical
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 48
- 238000003860 storage Methods 0.000 title claims abstract description 11
- 230000008859 change Effects 0.000 claims abstract description 55
- 238000012549 training Methods 0.000 claims description 21
- 238000012706 support-vector machine Methods 0.000 claims description 20
- 238000004590 computer program Methods 0.000 claims description 6
- 238000012545 processing Methods 0.000 abstract description 7
- 239000013598 vector Substances 0.000 description 28
- 238000012423 maintenance Methods 0.000 description 17
- 230000006870 function Effects 0.000 description 12
- 238000004891 communication Methods 0.000 description 9
- 238000012360 testing method Methods 0.000 description 8
- 230000008569 process Effects 0.000 description 7
- 238000013461 design Methods 0.000 description 6
- 238000004422 calculation algorithm Methods 0.000 description 5
- 230000000694 effects Effects 0.000 description 5
- 238000004519 manufacturing process Methods 0.000 description 5
- 238000005070 sampling Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000009826 distribution Methods 0.000 description 3
- JEJAGQKHAKDRGG-UHFFFAOYSA-N 2,2-dichloroethenyl dimethyl phosphate;(2-propan-2-yloxyphenyl) n-methylcarbamate Chemical compound COP(=O)(OC)OC=C(Cl)Cl.CNC(=O)OC1=CC=CC=C1OC(C)C JEJAGQKHAKDRGG-UHFFFAOYSA-N 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000010586 diagram Methods 0.000 description 2
- 238000004458 analytical method Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000013145 classification model Methods 0.000 description 1
- 238000002790 cross-validation Methods 0.000 description 1
- 238000003066 decision tree Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000013507 mapping Methods 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 230000001360 synchronised effect Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q10/00—Administration; Management
- G06Q10/20—Administration of product repair or maintenance
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/21—Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
- G06F18/214—Generating training patterns; Bootstrap methods, e.g. bagging or boosting
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/241—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
- G06F18/2411—Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F18/00—Pattern recognition
- G06F18/20—Analysing
- G06F18/24—Classification techniques
- G06F18/243—Classification techniques relating to the number of classes
- G06F18/24323—Tree-organised classifiers
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Data Mining & Analysis (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Bioinformatics & Computational Biology (AREA)
- Evolutionary Biology (AREA)
- Evolutionary Computation (AREA)
- Bioinformatics & Cheminformatics (AREA)
- General Engineering & Computer Science (AREA)
- Artificial Intelligence (AREA)
- Life Sciences & Earth Sciences (AREA)
- Business, Economics & Management (AREA)
- Human Resources & Organizations (AREA)
- Economics (AREA)
- Entrepreneurship & Innovation (AREA)
- Marketing (AREA)
- Operations Research (AREA)
- Quality & Reliability (AREA)
- Strategic Management (AREA)
- Tourism & Hospitality (AREA)
- General Business, Economics & Management (AREA)
- Debugging And Monitoring (AREA)
Abstract
The application discloses a method, a device, equipment and a storage medium for determining the type of alarm information, relates to the technical field of data processing, and can quickly and accurately identify effective alarm information of an application system. The method comprises the following steps: acquiring alarm information of an application system; determining the characteristics of the alarm information based on the alarm information; the characteristics of the alarm information comprise at least one of repeated alarm identification, alarm level, associated change identification or alarm content blacklist identification; generating input information in a target format based on the characteristics of the alarm information; inputting the input information of the target format into a preset alarm information model, and identifying the type of the input information of the target format to determine the type of the alarm information. The method of the application automatically determines whether the type of the alarm information is effective alarm information or invalid alarm information by using the preset alarm information, thereby being capable of rapidly and accurately identifying the effective alarm information of the application system.
Description
Technical Field
The present application relates to the field of data processing technologies, and in particular, to a method, an apparatus, a device, and a storage medium for determining a type of alarm information.
Background
The operation and maintenance personnel usually determine whether the application system can provide services normally according to the alarm information generated by the application system. However, in practical applications, there may be cases where the alarm information generated by the application system is invalid. This requires the operation and maintenance personnel to identify whether the alarm information is valid.
The operation and maintenance personnel identify whether the alarm information is effective or not and need to have certain knowledge storage and distribution. In practical application, even if each operation and maintenance person has a certain knowledge reserve, the efficiency of manually identifying the effectiveness of the alarm information is low. Therefore, when the application system cannot provide services normally, operation and maintenance personnel cannot determine the reason why the application system cannot provide services normally or the application system cannot provide services normally in time, and user experience is poor.
Disclosure of Invention
The application provides a method, a device, equipment and a storage medium for determining the type of alarm information, which can quickly and accurately identify effective alarm information of an application system.
In order to achieve the purpose, the technical scheme is as follows:
in a first aspect, the present application provides a method for determining a type of alarm information, where the method includes: acquiring alarm information of an application system; determining the characteristics of the alarm information based on the alarm information; the characteristics of the alarm information comprise at least one of repeated alarm identification, alarm level, associated change identification or alarm content blacklist identification; generating input information in a target format according to the characteristics of the alarm information; inputting the input information in the target format into a preset alarm information model, and identifying the type of the input information in the target format to determine the type of the alarm information; the type includes valid alarm information or invalid alarm information.
According to the method for determining the type of the alarm information, the type of the alarm information is determined to be effective alarm information or invalid alarm information by acquiring the characteristics of the alarm information and utilizing a preset alarm information model based on the characteristics of the alarm information. According to the scheme, the type of the alarm information is automatically determined to be the effective alarm information or the invalid alarm information by using the preset alarm information model, so that the effective alarm information of the application system can be rapidly and accurately identified, and then when the application system can not normally provide services, operation and maintenance personnel can timely determine the reason that the application system can not normally provide the services or the application system can not normally provide the services, and the user experience is improved.
In a second aspect, the present application provides an apparatus for determining a type of alarm information, the apparatus comprising: the acquisition unit is used for acquiring the alarm information of the application system; a determination unit configured to determine a characteristic of the warning information based on the warning information acquired by the acquisition unit; the characteristics of the alarm information comprise at least one of repeated alarm identification, alarm level, associated change identification or alarm content blacklist identification; the determining unit is further configured to generate input information in a target format according to the characteristics of the alarm information; the determining unit is further configured to input the input information in the target format into a preset alarm information model to determine a type of the alarm information; the type includes valid alarm information or invalid alarm information.
The device for determining the type of the alarm information provided by the application determines whether the type of the alarm information is effective alarm information or invalid alarm information by acquiring the characteristics of the alarm information and utilizing a preset alarm information model based on the characteristics of the alarm information. According to the scheme, the type of the alarm information is automatically determined to be the effective alarm information or the invalid alarm information by using the preset alarm information model, so that the effective alarm information of the application system can be rapidly and accurately identified, and then when the application system can not normally provide services, operation and maintenance personnel can timely determine the reason that the application system can not normally provide the services or the application system can not normally provide the services, and the user experience is improved.
In a third aspect, the present application provides an apparatus for determining a type of alert information, including a memory and a processor. The memory is coupled to the processor. The memory is for storing computer program code comprising computer instructions. The apparatus for determining the type of alarm information performs the method for determining the type of alarm information as described in the first aspect and any one of its possible designs when the processor executes the computer instructions.
In a fourth aspect, the present application provides a computer-readable storage medium, which stores instructions that, when running on a device for determining a type of alarm information, cause the device for determining a type of alarm information to perform a method for determining a type of alarm information according to the first aspect and any one of its possible design manners.
In a fifth aspect, the present application provides a computer program product, which includes computer instructions, when the computer instructions are run on an apparatus for determining a type of alarm information, cause the apparatus for determining a type of alarm information to perform the method for determining a type of alarm information according to the first aspect and any one of its possible design manners; or performing the method for determining the type of the alarm information according to the second aspect and any possible design thereof.
For a detailed description of the third to fifth aspects and their various implementations in this application, reference may be made to the detailed description of the first aspect, the second aspect and their various implementations; for the beneficial effects of the third aspect to the fifth aspect and various implementation manners thereof, reference may be made to beneficial effect analysis in the first aspect, the second aspect and various implementation manners thereof, and details are not described here.
These and other aspects of the present application will be more readily apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a first flowchart of a method for determining a type of alarm information according to an embodiment of the present application;
fig. 2 is a second flowchart illustrating a method for determining a type of alarm information according to an embodiment of the present application;
fig. 3 is a third schematic flowchart of a method for determining a type of alarm information according to an embodiment of the present application;
fig. 4 is a schematic hardware structure diagram of an apparatus for determining a type of alarm information provided in an embodiment of the present application;
fig. 5 is a schematic structural diagram of an apparatus for determining a type of alarm information provided in an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The terms "first", "second" and "first" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present application, "a plurality" means two or more unless otherwise specified.
At present, operation and maintenance personnel judge whether an application system can normally provide services or not through alarm information generated by the application system of an enterprise. However, in practical applications, there may be cases where the alarm information generated by the application system is invalid, and therefore, operation and maintenance personnel are required to identify whether the alarm information is valid.
The operation and maintenance personnel can judge whether the application system can normally provide the service or not according to the effective alarm information, or determine the reason causing the application system to fail to normally provide the service.
The operation and maintenance personnel need to have certain knowledge storage and distribution to identify whether the alarm information is effective or not, and the efficiency of manually identifying the effectiveness of the alarm information is also lower. Therefore, when the application system cannot provide services normally, operation and maintenance personnel cannot determine the reason why the application system cannot provide services normally or the application system cannot provide services normally in time, and user experience is poor.
In addition, with the rapid development of business, enterprises have higher and higher requirements on the performance of application systems. Therefore, the size of the application system is getting larger, the alarm information generated by the application system is also greatly increased, and the time for the operation and maintenance personnel to identify whether the alarm information is effective is also greatly increased. Therefore, when the application system cannot provide the service normally, the operation and maintenance personnel cannot timely determine that the application system cannot provide the service normally or cause that the application system cannot provide the service normally.
In order to solve the problems, the application provides a method for determining the type of the alarm information, and the method utilizes an alarm information model to automatically determine whether the type of the alarm information is the effective alarm information or the invalid alarm information, so that the effective alarm information of the application system can be quickly and accurately identified, and when the application system cannot normally provide services, operation and maintenance personnel can timely determine the reason that the application system cannot normally provide the services or the application system cannot normally provide the services, and user experience is improved.
An execution subject of the method for determining the type of the alarm information provided in the embodiment of the present application is a determination device (hereinafter referred to as a determination device) of the type of the alarm information. The determining device may be a server of an enterprise application system, a Central Processing Unit (CPU) in the server, a control module in the server for determining a type of the alarm information, or a client in the server for determining a type of the alarm information.
The following describes a method for determining the type of the alarm information provided in the embodiment of the present application.
As shown in fig. 1, the method for determining the type of the alarm information includes:
s101, the determining device obtains the alarm information of the application system.
The application system is an application system of an enterprise. Such as a bank application.
The warning information is information generated by the application system of the enterprise and used for indicating whether the application system of the enterprise can normally provide services.
Optionally, the alarm information may include an alarm event, an alarm reason, and alarm content.
S102, the determining device determines the characteristics of the alarm information based on the alarm information.
Optionally, the characteristic of the alarm information may include at least one of a repeated alarm flag, an alarm level, an association change flag, or an alarm content blacklist flag.
Further, when the characteristics of the alarm information include a repeated alarm identifier, an alarm level, an association change identifier and an alarm content blacklist identifier, whether the alarm information is valid alarm information or invalid alarm information can be accurately determined according to the repeated alarm identifier, the alarm level, the association change identifier and the alarm content blacklist identifier.
And the alarm level is used for indicating the fault degree of the application system.
Optionally, the alarm levels may be classified into 1 to 4 levels, i.e., a level 1 alarm, a level 2 alarm, a level 3 alarm, and a level 4 alarm, according to priority. The level 1 alarm, the level 2 alarm and the level 3 alarm are used for indicating that the alarm information is valid alarm information, and the level 4 alarm is used for indicating that the alarm information is possibly invalid alarm information.
And the repeated alarm identifier is used for indicating whether the alarm information is the alarm information which appears repeatedly.
Optionally, the repeated alarm flag includes 0 or 1. For example, the alarm information repeatedly appears within 1 minute for a plurality of times, only the repeated alarm flag of the first alarm information is 0, and the repeated alarm flags of other alarm information are all 1. That is, the alarm information whose repeated alarm flag is 1 is invalid alarm information, and the alarm information whose repeated alarm flag is 0 is valid alarm information.
And the associated change identifier is used for indicating whether the alarm information is the alarm information generated by the system upgrading activity implemented by the application system of the enterprise in the production environment.
Optionally, the association change identifier includes 0 or 1. For example, if the association change flag is 1, it indicates that the alarm information is alarm information generated by a system upgrade activity performed by an application system of the enterprise in a production environment, that is, the alarm information is invalid alarm information. If the associated change flag is 0, it indicates that the alarm information is not the alarm information generated by the system upgrade activity implemented by the application system of the enterprise in the production environment, i.e. the alarm information is valid alarm information.
And the alarm content blacklist mark is used for indicating whether the content of the alarm information belongs to the content in the alarm content blacklist.
Optionally, the alarm content blacklist identifier includes 0 or 1. For example, if the alarm content blacklist is marked as 1, it indicates that the content of the alarm information belongs to the content in the alarm content blacklist, that is, the alarm information is invalid alarm information. If the alarm content blacklist is 0, it indicates that the content of the alarm information does not belong to the content in the alarm content blacklist, i.e. the alarm information is valid alarm information.
Optionally, the characteristics of the alarm information may further include an alarm serial number, an alarm system name, an internet protocol address (IP) from which the alarm information is sent, alarm content, an alarm notification team, and alarm time.
S103, the determining device generates input information in a target format according to the characteristics of the alarm information.
After the determination means determines the feature of the alarm information based on the alarm information, the determination means may determine a feature vector of the alarm information based on the alarm information.
For example, when the characteristic of the alarm information includes a repeated alarm flag, an alarm level, an association change flag, and an alarm content blacklist flag, the determining device may determine specific values of the repeated alarm flag, the alarm level, the association change flag, and the alarm content blacklist flag from the alarm information (e.g., the repeated alarm flag of the alarm information is 0, the alarm level is 1, the association change flag is 1, and the alarm content blacklist flag is 0), so as to determine a feature vector of the alarm information (e.g., the feature vector of the alarm information may include 0, 1, 1, 0) according to the specific values of the repeated alarm flag, the alarm level, the association change flag, and the alarm content blacklist flag.
Because the format of the feature vector of the alarm information determined by the determining device may be different from the input format of the preset alarm information model, the determining device may generate the input information conforming to the input format of the alarm information model according to the feature vector of the alarm information under the condition that the format of the feature vector of the alarm information determined by the determining device is different from the input format of the preset alarm information model. That is, after the determination means determines the feature vector of the alarm information based on the feature of the alarm information, the determination means may determine the input information of the target format of the alarm information based on the feature vector of the alarm information.
The target format is an input format of the alarm information model. Illustratively, when the alarm information model is a Support Vector Machine (SVM) model, the target format is an input format conforming to the SVM model.
S104, the determining device inputs the input information in the target format into a preset alarm information model, and identifies the type of the input information in the target format to determine the type of the alarm information.
The types of the alarm information include valid alarm information or invalid alarm information.
The preset alarm information model is used for determining the type of the alarm information, namely determining that the alarm information is valid alarm information or invalid alarm information.
Optionally, the preset alarm information model may be a support vector machine SVM model, and the preset alarm information model may also be a decision tree classification model, which is not limited in the embodiment of the present application.
According to the method for determining the type of the alarm information, the type of the alarm information is determined to be effective alarm information or invalid alarm information by acquiring the characteristics of the alarm information and utilizing a preset alarm information model based on the characteristics of the alarm information. According to the scheme, the type of the alarm information is automatically determined to be the effective alarm information or the invalid alarm information by using the preset alarm information model, so that the effective alarm information of the application system can be rapidly and accurately identified, and then when the application system can not normally provide services, operation and maintenance personnel can timely determine the reason that the application system can not normally provide the services or the application system can not normally provide the services, and the user experience is improved.
It should be noted that, before the determining device inputs the input information in the target format into the preset alarm information model and identifies the type of the input information in the target format, the determining device may determine the alarm information model according to the historical alarm information of the application system. Optionally, in conjunction with fig. 1, as shown in fig. 2, S105-S107 may be included before S104.
S105, the determining device obtains the historical alarm information of the application system and the type of the historical alarm information.
The historical alarm information is generated by an application system of the enterprise. The historical alarm information can be a plurality.
The types of the historical alarm information comprise valid historical alarm information or invalid historical alarm information.
Optionally, the determining device may obtain the historical warning information of the application system from the application system every preset time period. The preset time period may be one week. For example, the determination device may obtain the historical alarm information of the last week of the application system by the Monday application system
Optionally, the historical alarm information may include an alarm serial number, an alarm level, an alarm system name, an IP address from which the alarm information is sent, alarm content, an alarm notification team, an alarm time, a repeat alarm flag, an association change flag, and an alarm content blacklist flag.
Optionally, after acquiring the historical alarm information, the determining device may store the historical alarm information in a manner shown in table 1. The field description corresponding to the field w _ seq is the alarm sequence number, and the field description corresponding to the field w _ level is the alarm level, which may be 1, 2, 3, or 4, where 1 represents a level 1 alarm, 2 represents a level 2 alarm, 3 represents a level 3 alarm, and 4 represents a level 4 alarm. The field w _ appname corresponds to the alarm system name. The field corresponding to the field w _ IP is described as the IP address for sending the alarm information. The field corresponding to field w _ dep is illustrated as an alarm notification team. The field corresponding to the field w _ content is described as the alarm content. The field corresponding to field w _ dep is illustrated as an alarm notification team. The field corresponding to field w _ date is described as alarm time. The field corresponding to the field w _ repeat flag is described as a repeat alarm flag. The repeated alarm flag may be 0 or 1, the historical alarm information is identified as repeated alarm information when the repeated alarm flag is 1, and the historical alarm information is identified as not repeated alarm information when the repeated alarm flag is 0. The field description corresponding to the field w _ chgflg is the associated change identification. The associated change identification may be 0 or 1. When the associated change flag is 1, the history alarm information is alarm information generated by the system upgrading activity performed by the application system of the enterprise in the production environment, and when the associated change flag is 0, the history alarm information is not alarm information generated by the system upgrading activity performed by the application system of the enterprise in the production environment. And the field corresponding to the field w _ blackflag is described as the alarm content blacklist identifier. The alarm content blacklist identification may be 0 or 1. When the alarm content blacklist mark is 1, the content of the historical alarm information belongs to the content in the alarm content blacklist, and the alarm content blacklist mark is 0, which indicates that the content of the historical alarm information does not belong to the content in the alarm content blacklist. The field corresponding to the field w _ dataset is described as the sampling type of the historical alarm information. The sampling type may be S or T. And when the sampling type is S, the historical alarm information is used as training set data to train an alarm information model, and when the sampling type is T, the historical alarm information is used as test set data to test the alarm information model.
TABLE 1
Optionally, after acquiring the historical alarm information, the determining device may perform preprocessing on the historical alarm information. Namely, the values of repeated alarm marks, associated change marks and alarm content blacklist marks in the historical alarm information are determined.
Optionally, the determining device may retrieve the change information table according to the name of the alarm system, the alarm time, and the IP address from which the alarm information is sent, and determine the value of the associated change identifier of each piece of historical alarm information. For example, the valid change record can be matched in the change time range, the value of the w _ chgflg field of the historical alarm data is 1, otherwise, the value of the w _ chgflg field of the historical alarm data is 0.
Illustratively, as shown in table 2, the change information table includes a field chg _ no, a field chgsys _ name, a field chg _ start, a field chg _ end, a field chg _ ip, and a field chg _ flag. A field description corresponding to the field chg _ no is a change number, a field description corresponding to the field chgsys _ name is a change system name, a field description corresponding to the field chg _ start is a change start time, a field description corresponding to the field chg _ end is a change end time, a field description corresponding to the field chg _ ip is a change ip address, and a field description corresponding to the field chg _ flag is a change valid flag. The change valid flag includes 1 or 2, a change valid flag of 1 indicates that the association change is valid, and a change valid flag of 2 indicates that the association change is invalid.
TABLE 2
| Numbering | Name of field | Description of field |
| 1 | chg_no | Change number |
| 2 | chgsys_name | Changing system names |
| 3 | chg_startdate | Change start time |
| 4 | chg_enddate | End time of change |
| 5 | chg_ip | Changing ip addresses |
| 6 | chg_flag | Change valid flag 1-valid 2-invalid |
Optionally, the determining device may retrieve the alarm content blacklist table according to the alarm system name, the alarm content, and the IP address sending the alarm information, and determine the value of the alarm content blacklist identifier of each historical alarm information. For example, the history alarm information contains invalid alarm keywords in the alarm content blacklist table, and the w _ blackflag field of the history alarm information is marked as 1, that is, the value of the alarm content blacklist identifier of the history alarm information is 1, otherwise, the value of the alarm content blacklist identifier of the history alarm information is 0.
Illustratively, as shown in table 3, the alarm content blacklist table includes a field w _ no, a field w _ sysname, a field w _ ip, and a field w _ keyword. The field description corresponding to the field w _ no is a number, the field description corresponding to the field w _ sysname is an alarm system name, the field description corresponding to the field w _ IP is a system IP address, and the field description corresponding to the field w _ keyword is an invalid alarm keyword.
TABLE 3
| Numbering | Name of field | Description of field |
| 1 | w_no | Numbering |
| 2 | w_sysname | Alarm system name |
| 3 | w_ip | System ip address |
| 4 | w_keyword | Invalid alarm keywords |
Optionally, the determining apparatus may use the first 70% of the historical alarm information as training set data, that is, set the field w _ dataset of the first 70% of the historical alarm information as S, for training the alarm information model. The determination device may use the last 30% of the historical alarm information as the test set data, that is, set the field w _ dataset of the last 30% of the historical alarm information to T, for testing the alarm information model.
The determination means may determine the characteristic of the historical alarm information based on the historical alarm information after acquiring the historical alarm information of the application system.
S106, the determining device determines the characteristics of the historical alarm information based on the historical alarm information.
The characteristics of the historical alarm information comprise at least one of repeated alarm identification, alarm level, associated change identification or alarm content blacklist identification.
Alternatively, the characteristics of the historical alarm information may be the same as those of the alarm information described above.
Furthermore, when the characteristics of the historical alarm information comprise repeated alarm identification, alarm level, associated change identification and alarm content blacklist identification, the trained alarm information model can be accurate according to the vectors of the repeated alarm identification, the alarm level, the associated change identification and the alarm content blacklist identification.
Optionally, the characteristics of the historical alarm information may further include an alarm serial number, an alarm system name, an internet protocol address (IP) from which the alarm information is sent, alarm content, an alarm notification team, and alarm time.
And S107, the determining device carries out iterative training on the initial model based on the characteristics of the historical alarm information and the type of the historical alarm information so as to determine an alarm information model.
Optionally, in conjunction with fig. 2, as shown in fig. 3, the S107 may include S1071-S1072.
S1071, the determining device generates input information of a target format of the historical alarm information according to the characteristics of the historical alarm information and the type of the historical alarm information.
The target format is an input format of the alarm information model.
The input information of the target format of the historical alarm information may include a feature vector of the historical alarm information and a value corresponding to the type of the historical alarm information.
After the determination means determines the feature of the historical alarm information based on the historical alarm information, the determination means may determine the feature vector of the historical alarm information based on the historical alarm information.
For example, when the characteristic of the historical alarm information includes a repeated alarm identifier, an alarm level, an association change identifier, and an alarm content blacklist identifier, the determining device may determine specific values of the repeated alarm identifier, the alarm level, the association change identifier, and the alarm content blacklist identifier (e.g., the repeated alarm identifier of the alarm information is 0, the alarm level is 1, the association change identifier is 1, and the alarm content blacklist identifier is 0) from the historical alarm information, so as to determine a feature vector of the historical alarm information (e.g., the feature vector of the historical alarm information may include 0, 1, 1, 0) according to the specific values of the repeated alarm identifier, the alarm level, the association change identifier, and the alarm content blacklist identifier.
Optionally, after the determining device determines the feature vector of the historical alarm information, a target value (i.e., a value corresponding to the type of the historical alarm information) may be set for the feature vector of each historical alarm information, so that the feature vector of the historical alarm information and the corresponding target value are used as input data of a training alarm information model. The target value represents a value corresponding to the type of the historical alarm information, and the target value can be 1 or-1. A target value of 1 indicates that the type of the history alarm information is valid history alarm information. A target value of-1 indicates that the type of historical alarm information is invalid historical alarm information.
After the determining device determines the characteristic vector and the corresponding target value of the historical alarm information, the determining device conducts iterative training on the initial model based on the characteristic vector and the value corresponding to the type of the historical alarm information, and determines an alarm information model.
Since the formats of the feature vector of the historical alarm information and the corresponding target value determined by the determining device may be different from the input format of the alarm information model, the determining device may generate the input information conforming to the input format of the alarm information model according to the feature vector of the historical alarm information and the corresponding target value when the formats of the feature vector of the historical alarm information and the corresponding target value determined by the determining device are different from the preset input format of the alarm information model.
After the determination device determines the value based on the feature vector of the historical alarm information and the value corresponding to the type of the historical alarm information, the determination device can determine the input information of the target format of the historical alarm information according to the feature vector of the historical alarm information and the value corresponding to the type of the historical alarm information. Illustratively, when the alarm information model is a support vector machine SVM model and the characteristics of the historical alarm information include a repeated alarm flag, an alarm level, an association change flag, and an alarm content blacklist flag, as shown in table 4, the input information in the target format includes target values (i.e., tags) of a plurality of historical alarm information, first-dimension feature labels (corresponding to the repeated alarm flags), first-dimension feature values (corresponding to the values of the repeated alarm flags), second-dimension feature labels (corresponding to the alarm level), second-dimension feature values (corresponding to the values of the alarm level), third-dimension feature labels (corresponding to the association change flag), third-dimension feature values (corresponding to the values of the association change flag), fourth-dimension feature labels (corresponding to the blacklist flag of the alarm content), and fourth-dimension feature values (corresponding to the blacklist flag of the alarm content).
TABLE 4
Since the SVM model requires that the processed data are all real numbers, the conversion is performed for the attribute whose feature value is a class. For example, as shown in table 5, the alarm levels include (level 1 alarm, level 2 alarm, level 3 alarm, level 4 alarm), which can be converted into 4 attributes, the first alarm data is a level 1 alarm, the second alarm is a level 2 alarm, and so on.
TABLE 5
| Level 1 alerting | Level 2 alerting | Level 3 alerting | Level 4 alerting |
| 1 | 0 | 0 | 0 |
| 0 | 1 | 0 | 0 |
| 0 | 0 | 1 | 0 |
| 0 | 0 | 0 | 1 |
The determining device generates the input information in the target format according to the characteristic vector of the historical alarm information and the value corresponding to the type of the historical alarm information, can prevent a certain characteristic value from being too large or too small, thereby playing an unbalanced role in training, and can improve the calculation speed.
Optionally, the determining device may respectively generate the input information in the target format from the historical alarm information in the training set and the historical alarm information in the testing set.
S1072, the determining device conducts iterative training on the initial model based on the input information of the historical alarm information to determine an alarm information model.
Optionally, the determining device generates the historical alarm information in the training set and the historical alarm information in the testing set into corresponding input information in a target format, and before performing iterative training on the initial model, the algorithm parameters of the initial model need to be set, that is, the algorithm parameters of the alarm information model are set.
Exemplarily, when the alarm information model is an SVM model, the most important parameters include: kernel functions, gamma and C-loss functions are required to be set before training the SVM model.
The first step is as follows: kernel function selection (RBF). When the feature vector of the alarm information comprises four repeated alarm marks, alarm levels, associated change marks and alarm content blacklist marks, linear divisibility cannot be achieved in a two-dimensional space, the kernel function can be used for mapping original data to a high-dimensional space, and linear classification is carried out in the high-dimensional space. The SVM algorithm has demonstrated that: if the number of features (attributes) of the data is limited, a high-dimensional feature space must exist, and a hyperplane capable of correctly dividing two types of samples exists in the space.
gamma is a parameter of the RBF core, the distribution of the data after being mapped to a new feature space is determined, the larger the gamma is, the fewer the support vectors are, the smaller the gamma is, the more the support vectors are, and the number of the support vectors influences the speed of training and prediction.
The C-loss function is a parameter of the RBF core and measures the accuracy of the model for data classification prediction.
The second step is that: before training the SVM model, which value of two parameters, namely gamma and C-loss function, is the best can not be determined, and the best parameter value needs to be obtained through a grid-search cross validation method, so that the SVM model can predict unknown data more accurately and more quickly, and the process is called kernel function training.
The third step: and training the SVM model by using the optimal gamma and C-loss function parameters to obtain a model file w _ trancataset.
And after obtaining the model file w _ triandaset.model, predicting the historical alarm information files in the test set obtained after the characteristics are extracted by using the model file w _ triandaset.model to obtain a prediction result, wherein the prediction result comprises the classification result of each piece of historical alarm information in the test set and the classification accuracy. And the SVM model with the accuracy rate of more than 90% is used for determining the type of the new alarm information.
And for the invalid alarm information determined by the SVM model, the state of the invalid alarm information is automatically changed to 1, namely invalid, and manual processing is not needed.
S104 to S106 may be performed before S103, before S102, or before S101, and this is not limited in the present embodiment. The above embodiment is exemplified by only the above S104 to S106 before the above S103.
According to the method for determining the type of the alarm information, the type of the alarm information is determined to be effective alarm information or invalid alarm information by acquiring the characteristics of the alarm information and utilizing a preset alarm information model based on the characteristics of the alarm information. According to the scheme, the type of the alarm information is automatically determined to be the effective alarm information or the invalid alarm information by using the preset alarm information model, so that the effective alarm information of the application system can be rapidly and accurately identified, and then when the application system can not normally provide services, operation and maintenance personnel can timely determine the reason that the application system can not normally provide the services or the application system can not normally provide the services, and the user experience is improved.
The scheme provided by the embodiment of the application is mainly introduced from the perspective of a method. To implement the above functions, it includes hardware structures and/or software modules for performing the respective functions. Those of skill in the art would readily appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as hardware or combinations of hardware and computer software. Whether a function is performed as hardware or computer software drives hardware depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
As shown in fig. 4, an embodiment of the present application provides a device 400 for determining the type of alarm information. The determination device 400 of the type of alert information may include at least one processor 401, a communication line 402, a memory 403, and a communication interface 404.
In particular, the processor 401 is configured to execute computer-executable instructions stored in the memory 403, thereby implementing steps or actions of the terminal.
The processor 401 may be a chip. For example, the Field Programmable Gate Array (FPGA) may be an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Micro Controller Unit (MCU), a Programmable Logic Device (PLD) or other integrated chips.
A communication line 402 for transmitting information between the processor 401 and the memory 403.
A memory 403 for storing and executing computer-executable instructions, and controlled by the processor 401.
The memory 403 may be separate and coupled to the processor via the communication line 402. The memory 403 may be either volatile memory or nonvolatile memory, or may include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an electrically Erasable EPROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, and not limitation, many forms of RAM are available, such as Static Random Access Memory (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM). It should be noted that the memory of the systems and devices described herein is intended to comprise, without being limited to, these and any other suitable types of memory.
A communication interface 404 for communicating with other devices or a communication network. The communication network may be an ethernet, a Radio Access Network (RAN), or a Wireless Local Area Network (WLAN).
It is noted that the structure shown in fig. 4 does not constitute a limitation of the determination device of the type of alarm information, and the determination device of the type of alarm information may include more or less components than those shown in fig. 4, or combine some components, or a different arrangement of components, in addition to the components shown in fig. 4.
As shown in fig. 5, an embodiment of the present application provides an apparatus 500 for determining the type of alarm information. The determination device 500 for the type of the alarm information may include an acquisition unit 501 and a determination unit 502.
The obtaining unit 501 is configured to obtain alarm information of an application system. For example, in conjunction with fig. 1, the obtaining unit 501 may be configured to perform S101.
The determining unit 502 is configured to determine a characteristic of the alarm information based on the alarm information. For example, in connection with fig. 1, the determination unit 502 may be configured to perform step S102.
The determining unit 502 is further configured to generate input information in a target format according to the characteristics of the alarm information. For example, in connection with fig. 1, the determination unit 502 may be configured to perform step S103.
The determining unit 503 is further configured to input the input information in the target format into a preset alarm information model, and identify the type of the input information in the target format to determine the type of the alarm information. For example, in connection with fig. 1, the determining unit 503 may be configured to perform step S104.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
In actual implementation, the obtaining unit 501 and the determining unit 502 may be implemented by the processor 401 shown in fig. 4 calling the program code in the memory 403. The specific implementation process may refer to the description of the method part in the method for determining the type of the alarm information shown in fig. 1 to 3, and is not described herein again.
Another embodiment of the present application further provides a computer-readable storage medium, where a computer instruction is stored in the computer-readable storage medium, and when the computer instruction runs on a device for determining a type of alarm information, the device for determining a type of alarm information is enabled to perform the steps performed by the device for determining a type of alarm information in the method flow shown in the foregoing method embodiment.
In another embodiment of the present application, a computer program product is further provided, where the computer program product includes instructions that, when executed on an apparatus for determining a type of alarm information, cause the apparatus for determining a type of alarm information to perform the steps performed by the apparatus for determining a type of alarm information in the method flow shown in the foregoing method embodiment.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, devices and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus, and method may be implemented in other ways. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a logical division, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present application should be covered within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (10)
1. A method for determining the type of alarm information is characterized in that the method comprises the following steps:
acquiring alarm information of an application system;
determining the characteristics of the alarm information based on the alarm information; the characteristics of the alarm information comprise at least one of repeated alarm identification, alarm level, associated change identification or alarm content blacklist identification;
generating input information in a target format according to the characteristics of the alarm information;
inputting the input information in the target format into a preset alarm information model, and identifying the type of the input information in the target format to determine the type of the alarm information; the type includes valid alarm information or invalid alarm information.
2. The method of claim 1, further comprising:
acquiring historical alarm information of the application system and the type of the historical alarm information;
determining the characteristics of the historical alarm information based on the historical alarm information; the characteristics of the historical alarm information comprise at least one of repeated alarm identification, alarm level, association change and alarm content blacklist identification;
and performing iterative training on an initial model based on the characteristics of the historical alarm information and the type of the historical alarm information to determine the alarm information model.
3. The method of claim 2, wherein iteratively training an initial model to determine the alarm information model based on the characteristics of the historical alarm information and the type of the historical alarm information comprises:
generating input information of a target format of the historical alarm information according to the characteristics of the historical alarm information and the type of the historical alarm information;
and performing iterative training on an initial model based on the input information of the historical alarm information to determine the alarm information model.
4. The method according to any of claims 1-3, characterized in that the alarm information model is a Support Vector Machine (SVM) model.
5. An apparatus for determining a type of alarm information, the apparatus comprising:
the acquisition unit is used for acquiring the alarm information of the application system;
the determining unit is used for determining the characteristics of the alarm information based on the alarm information acquired by the acquiring unit; the characteristics of the alarm information comprise at least one of repeated alarm identification, alarm level, association change or alarm content blacklist identification;
the determining unit is further configured to generate input information in a target format according to the characteristics of the alarm information;
the determining unit is further configured to input the input information in the target format into a preset alarm information model, and identify the type of the input information in the target format to determine the type of the alarm information; the type includes valid alarm information or invalid alarm information.
6. The apparatus of claim 5, wherein the obtaining unit is further configured to:
acquiring historical alarm information of the application system and the type of the historical alarm information;
the determining unit is further configured to determine a feature of the historical alarm information based on the historical alarm information acquired by the acquiring unit; the characteristics of the historical alarm information comprise at least one of repeated alarm identification, alarm level, association change or alarm content blacklist identification;
the determining unit is further configured to perform iterative training on an initial model based on the characteristics of the historical alarm information and the type of the historical alarm information to determine the alarm information model.
7. The apparatus according to claim 6, wherein the determining unit is specifically configured to:
generating input information of a target format of the historical alarm information according to the characteristics of the historical alarm information and the type of the historical alarm information;
and performing iterative training on an initial model based on the input information of the historical alarm information to determine the alarm information model.
8. The apparatus according to any of claims 5-7, wherein the alarm information model is a Support Vector Machine (SVM) model.
9. A device for determining the type of alarm information is characterized in that the device for determining the type of alarm information comprises a memory and a processor; the memory and the processor are coupled; the memory for storing computer program code, the computer program code comprising computer instructions; the apparatus for determining the type of alert information, when the processor executes the computer instructions, performs the method for determining the type of alert information as claimed in any one of claims 1 to 4.
10. A computer-readable storage medium, characterized in that instructions are stored therein, which, when run on a determination device of the type of alert information, cause the determination device of the type of alert information to perform the determination method of the type of alert information according to any one of claims 1 to 4.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110603268.4A CN113205195A (en) | 2021-05-31 | 2021-05-31 | Method, device, equipment and storage medium for determining type of alarm information |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110603268.4A CN113205195A (en) | 2021-05-31 | 2021-05-31 | Method, device, equipment and storage medium for determining type of alarm information |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113205195A true CN113205195A (en) | 2021-08-03 |
Family
ID=77024302
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110603268.4A Pending CN113205195A (en) | 2021-05-31 | 2021-05-31 | Method, device, equipment and storage medium for determining type of alarm information |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113205195A (en) |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108717416A (en) * | 2018-03-30 | 2018-10-30 | 广州供电局有限公司 | Power equipment monitoring method, device, computer equipment and storage medium |
| CN110321268A (en) * | 2019-06-12 | 2019-10-11 | 平安科技(深圳)有限公司 | A kind of alarm information processing method and device |
| CN110517469A (en) * | 2019-08-08 | 2019-11-29 | 武汉兴图新科电子股份有限公司 | A kind of intelligent alarm convergence method suitable for audio-video convergence platform |
| US20200160230A1 (en) * | 2018-11-19 | 2020-05-21 | International Business Machines Corporation | Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs |
| CN112787860A (en) * | 2020-12-30 | 2021-05-11 | 广东电网有限责任公司电力调度控制中心 | Root alarm analysis and identification method and device |
-
2021
- 2021-05-31 CN CN202110603268.4A patent/CN113205195A/en active Pending
Patent Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108717416A (en) * | 2018-03-30 | 2018-10-30 | 广州供电局有限公司 | Power equipment monitoring method, device, computer equipment and storage medium |
| US20200160230A1 (en) * | 2018-11-19 | 2020-05-21 | International Business Machines Corporation | Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs |
| CN110321268A (en) * | 2019-06-12 | 2019-10-11 | 平安科技(深圳)有限公司 | A kind of alarm information processing method and device |
| CN110517469A (en) * | 2019-08-08 | 2019-11-29 | 武汉兴图新科电子股份有限公司 | A kind of intelligent alarm convergence method suitable for audio-video convergence platform |
| CN112787860A (en) * | 2020-12-30 | 2021-05-11 | 广东电网有限责任公司电力调度控制中心 | Root alarm analysis and identification method and device |
Non-Patent Citations (1)
| Title |
|---|
| 韦瑞录 等: ""机器学习法在计量系统告警信息中的研究与应用"", 《价值工程》, no. 11, 18 April 2016 (2016-04-18) * |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108683530B (en) | Data analysis method and device for multi-dimensional data and storage medium | |
| CN109885452B (en) | Performance monitoring method and device and terminal equipment | |
| CN112800095B (en) | Data processing method, device, equipment and storage medium | |
| CN107992490A (en) | A kind of data processing method and data processing equipment | |
| CN112311617A (en) | Configured data monitoring and alarming method and system | |
| CN112700131B (en) | AB test method and device based on artificial intelligence, computer equipment and medium | |
| CN110147657A (en) | A kind of user right configuration method and device | |
| CN112051771B (en) | Multi-cloud data acquisition method and device, computer equipment and storage medium | |
| CN111475494A (en) | Mass data processing method, system, terminal and storage medium | |
| CN111400294B (en) | Data anomaly monitoring method, device and system | |
| US11687598B2 (en) | Determining associations between services and computing assets based on alias term identification | |
| CN109558315B (en) | Method, device and equipment for determining test range | |
| CN113504996A (en) | Load balance detection method, device, equipment and storage medium | |
| CN110674832A (en) | Method, device and terminal for identifying enterprise to which Internet user belongs | |
| CN113205195A (en) | Method, device, equipment and storage medium for determining type of alarm information | |
| CN108429632B (en) | Service monitoring method and device | |
| CN112579571B (en) | Monitoring data configuration, data monitoring method, device, equipment and storage medium | |
| CN107818501B (en) | Actuarial method and device | |
| CN114564349A (en) | Server monitoring method and device, electronic equipment and storage medium | |
| WO2022089249A1 (en) | Information acquisition method and apparatus, server, and storage medium | |
| CN113626387A (en) | Task data export method and device, electronic equipment and storage medium | |
| CN114327988A (en) | Visual network fault relation determining method and device | |
| CN113158497A (en) | Online service experiment method and device, computer equipment and storage medium | |
| CN112650741A (en) | Abnormal data identification and correction method, system, equipment and readable storage medium | |
| CN110942252A (en) | Method and device for diagnosing and evaluating reform enterprise, server and system for diagnosing and evaluating reform enterprise |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |